Forms authentication understanding context.user.identity

Since the documentation on this process is very vague and confusing (or old), I want to verify that I am doing things correctly and have not missed any steps.
I want to create a secure login system that expires when the browser is closed.
In my web.config I have the following:

```xml
<authentication mode="Forms">
  <forms loginUrl="~/Login.aspx" defaultUrl="Index.aspx" name=".ASPXFORMSAUTH" timeout="100" />
</authentication>
<authorization>
  <allow users="?" />
</authorization>
<machineKey decryption="AES" validation="SHA1" validationKey.......... />
```
So I have a login form with username/password textboxes and this button:

```aspx
<asp:Button ID="LoginButton" runat="Server" OnClick="Login_Authenticate" Text="Sign in" />
```
Inside Login_Authenticate I do the following:

```csharp
protected void Login_Authenticate(object sender, EventArgs e)
{
    string userName = UserName.Text;
    string password = Password.Text;
    bool Authenticated = false;
    bool rememberUserName = false; // assumed: the post does not show where this value is set

    // Here's code that makes sure that Username and Password is CORRECT
    if (AuthClass.Authenticate(userName, password))
    {
        Authenticated = true;
    }
    // error checking does happen here.

    if (Authenticated)
    {
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1, userName, DateTime.Now, DateTime.Now.AddMinutes(30),
            rememberUserName, String.Empty, FormsAuthentication.FormsCookiePath);
        string encryptedCookie = FormsAuthentication.Encrypt(ticket);
        HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encryptedCookie);
        cookie.Expires = DateTime.Now.AddMinutes(30);
        Response.Cookies.Add(cookie);
        //FormsAuthentication.RedirectFromLoginPage(userName, false);
        Response.Redirect("MainPage.aspx");
    }
}
```
--- In MasterPage.master.cs I have the following check in Page_Init() ---

```csharp
protected void Page_Init(object sender, EventArgs e)
{
    if (Context.User.Identity.IsAuthenticated)
    {
        // Session["userid"] is null on the first request after login, so an
        // unconditional (int) cast would throw; read it as a nullable int instead.
        int? userid = Session["userid"] as int?;
        if (userid == null)
        {
            userid = GetUserID(Context.User.Identity.Name);
            if (userid != null)
            {
                Session["userid"] = userid;
            }
        }
    }
}
```
Edit: --- Global.asax; some code that I am not sure is correct, or do not know what it does:

```csharp
protected void Application_AuthenticateRequest(object sender, EventArgs e)
{
    // look if any security information exists for this request
    if (HttpContext.Current.User != null)
    {
        // see if this user is authenticated, any authenticated cookie (ticket) exists for this user
        if (HttpContext.Current.User.Identity.IsAuthenticated)
        {
            // see if the authentication is done using FormsAuthentication
            if (HttpContext.Current.User.Identity is FormsIdentity)
            {
                // Get the roles stored for this request from the ticket
                // get the identity of the user
                FormsIdentity identity = (FormsIdentity)HttpContext.Current.User.Identity;
                // Get the form authentication ticket of the user
                FormsAuthenticationTicket ticket = identity.Ticket;
                // Get the roles stored as UserData into ticket
                string[] roles = { };
                // Create general principal and assign it to current request
                HttpContext.Current.User = new System.Security.Principal.GenericPrincipal(identity, roles);
            }
        }
    }
}
```
--- From then on, on every page, I use the session user ID to gather the user's information and content, and to make sure the user has the proper authentication and group role permissions.
Is all of this correct? Or do I have to decrypt anything anywhere?
Is this enough for a secure user login? Or should I not bother with Forms Authentication and find my own way to make my own cookie and manage it myself?
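As an added example (not the asker's code and not ASP.NET's own reference implementation), here is how the three pieces above fit together for a login that ends when the browser closes: the ticket is issued non-persistent and the cookie gets no Expires, so the browser treats it as a session cookie; the user's roles travel inside the ticket's UserData, where the machineKey signature protects them; and Application_AuthenticateRequest turns that UserData back into a GenericPrincipal so pages can call User.IsInRole without touching Session. AuthClass.Authenticate is taken from the question; GetUserRoles, ErrorLabel and the role name "Admin" are assumptions.

```csharp
// Added example, not the asker's code: session-only Forms Authentication with
// roles carried in the ticket. Assumed names: GetUserRoles, ErrorLabel, "Admin".
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;
using System.Web.UI;

public partial class Login : Page
{
    // Hypothetical role lookup; the question only shows AuthClass.Authenticate.
    private static string[] GetUserRoles(string userName)
    {
        return new[] { "User" };
    }

    protected void Login_Authenticate(object sender, EventArgs e)
    {
        string userName = UserName.Text;
        string password = Password.Text;

        if (!AuthClass.Authenticate(userName, password))
        {
            // One generic message: do not reveal whether the name or the password was wrong.
            ErrorLabel.Text = "Invalid user name or password.";
            return;
        }

        // Roles ride inside the ticket. FormsAuthentication.Encrypt signs (and with
        // the config above, AES-encrypts) it using the machineKey, so a client cannot
        // add a role by editing the cookie.
        string userData = string.Join(",", GetUserRoles(userName));
        var ticket = new FormsAuthenticationTicket(
            1,                                // version
            userName,                         // name
            DateTime.Now,                     // issue date
            DateTime.Now.AddMinutes(30),      // server-side ticket lifetime
            false,                            // isPersistent: this is not a "remember me" ticket
            userData,                         // roles
            FormsAuthentication.FormsCookiePath);

        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,                          // unreadable from page script
            Secure = FormsAuthentication.RequireSSL,  // HTTPS-only when <forms requireSSL="true">
            Path = FormsAuthentication.FormsCookiePath
            // Deliberately no Expires: a cookie without one is a session cookie and is
            // discarded when the browser closes, which is what the question asks for.
        };
        Response.Cookies.Add(cookie);

        // GetRedirectUrl honours ReturnUrl but, with the default
        // enableCrossAppRedirects="false", refuses to send the user off-site.
        Response.Redirect(FormsAuthentication.GetRedirectUrl(userName, false));
    }
}

public class Global : HttpApplication
{
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        // FormsAuthenticationModule has already decrypted and validated the cookie
        // before this event fires; nothing needs to be decrypted by hand here.
        var identity = Context.User == null ? null : Context.User.Identity as FormsIdentity;
        if (identity == null || !identity.IsAuthenticated)
        {
            return;
        }

        FormsAuthenticationTicket ticket = identity.Ticket;
        if (ticket.Expired)
        {
            return; // the module already treats an expired ticket as anonymous
        }

        string[] roles = string.IsNullOrEmpty(ticket.UserData)
            ? new string[0]
            : ticket.UserData.Split(',');
        Context.User = new GenericPrincipal(identity, roles);
    }
}

// In any page or master page the roles are then available without Session:
//   if (!User.IsInRole("Admin")) { Response.StatusCode = 403; Response.End(); }
```

Two caveats that follow from the config in the question rather than from this code. First, `<allow users="?" />` permits anonymous requests everywhere, so nothing ever forces a visitor to Login.aspx; requiring a login is done with `<deny users="?" />` in the main `<authorization>` block and a `<location path="Login.aspx">` section that allows `?`. Second, the session cookie (ASP.NET_SessionId) and the Forms Authentication cookie are independent and can expire at different times, which is why the master-page code must cope with Session["userid"] being null while Context.User is still authenticated; keeping the roles in the ticket, as above, removes that dependency for authorization decisions.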
What if the code fails? Does the Authenticate side always return bool Authenticated = false/true; // Here's code that makes sure that Username and Password is CORRECT; Authenticated = true; that is what you have at the top.. but if the code fails it never sets Authenticated back to false. – MethodMan 2012-01-10 21:11:51
@DJKRAZE the code does set it to false if there is an error. I just did not include the lengthy code that checks the username/password. Authenticated = true only happens if everything succeeds. – Dexter 2012-01-10 21:13:58
Added some more clarifying code, including the Global.asax code I am using. I do not know whether it works, and I am confused. – Dexter 2012-01-10 21:25:03